Fixing two security vulnerabilities in phpBB 2.0.x (repost)
The phpBB development team recently published fixes for two security vulnerabilities in phpBB 2.0.x:
1. Injection vulnerability:
Edit viewtopic.php. Before the following code:
Code:
if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
    $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
    $topic_id = intval($HTTP_GET_VARS['topic']);
}
add:
Code:
$topic_id = $post_id = false;
Then replace the following code:
Code:
$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";
$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
with:
Code:
$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";
$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
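Why the added initialisation and the isset() to empty() change belong together, as an added PHP sketch that is not phpBB code and not part of the original post. Assumptions: register_globals is simulated with extract(), the 't' and 'p' values of POST_TOPIC_URL and POST_POST_URL and the POST_POST_URL branch are assumed, the SQL fragment is shortened, and both requests are constructed.

```php
<?php
// Added illustration, not phpBB source. register_globals (removed in PHP 5.4)
// is simulated with extract(); 't' and 'p' are assumed constant values.
const POST_TOPIC_URL = 't';
const POST_POST_URL  = 'p';

/**
 * Build a shortened $join_sql fragment in the style of viewtopic.php.
 * $init     : apply "$topic_id = $post_id = false;" before reading the request
 * $useEmpty : test with empty($post_id) instead of !isset($post_id)
 */
function build_join_sql(array $get, bool $init, bool $useEmpty): string
{
    // register_globals = On: each request parameter becomes a variable.
    extract($get, EXTR_SKIP);

    if ($init) {
        $topic_id = $post_id = false;   // the line added by the fix
    }
    if (isset($get[POST_TOPIC_URL])) {
        $topic_id = intval($get[POST_TOPIC_URL]);
    } elseif (isset($get['topic'])) {
        $topic_id = intval($get['topic']);
    }
    if (isset($get[POST_POST_URL])) {   // assumed post-id branch
        $post_id = intval($get[POST_POST_URL]);
    }

    $topicOnly = $useEmpty ? empty($post_id) : !isset($post_id);
    return $topicOnly
        ? "t.topic_id = $topic_id"
        : "p.post_id = $post_id AND t.topic_id = p.topic_id";
}

// Constructed requests.
$normal  = ['t' => '42'];
$spoofed = ['topic_id' => 'UNSANITIZED'];   // never passes through intval()

$cases = [
    'original'       => [false, false],
    'init only'      => [true,  false],
    'init + empty()' => [true,  true],
];
foreach ($cases as $label => [$init, $useEmpty]) {
    printf("%-15s normal : %s\n", $label, build_join_sql($normal, $init, $useEmpty));
    printf("%-15s spoofed: %s\n", $label, build_join_sql($spoofed, $init, $useEmpty));
}
```

With the original logic the spoofed topic_id parameter reaches the SQL fragment without passing through intval(); with the initialisation alone every request takes the post_id branch, because a variable set to false still satisfies isset(); with both changes the spoofed value is discarded.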
2. styles_admin out-of-bounds access vulnerability:
Edit admin/admin_styles.php. The original code loads extension.inc and pagestart only when send_file is empty; the replacement loads both on every request.
Replace the following code:
Code:
//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;
if (empty($HTTP_POST_VARS['send_file']))
{
    $no_page_header = ( $cancel ) ? TRUE : FALSE;
    require($phpbb_root_path . 'extension.inc');
    require('./pagestart.' . $phpEx);
}
if ($cancel)
{
    redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}
with:
Code:
//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;
$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;
require('./pagestart.' . $phpEx);
if ($cancel)
{
    redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}
Alternatively, upgrade directly to phpBB 2.0.5. (Translated and compiled by hutuworm)
From "ITPUB Blog", link: http://blog.itpub.net/10752043/viewspace-997952/. If you reproduce this article, please credit the source; otherwise legal liability will be pursued.